DETAILED ACTION



Information Disclosure Statement 

The information disclosure statements filed January 12, 2001 and February 8, 
2002 have been placed in the application file and the information referred to therein has 
been considered as to the merits. 



Specification

The abstract of the disclosure does not commence on a separate sheet in
accordance with 37 CFR 1.52(b)(4). A new abstract of the disclosure is required and
must be presented on a separate sheet, apart from any other text.

The listing of references in the specification is not a proper information disclosure
statement. 37 CFR 1.98(b) requires a list of all patents, publications, or other
information submitted for consideration by the Office, and MPEP § 609 A(1) states, "the
list may not be incorporated into the specification but must be submitted in a separate
paper." Therefore, unless the references have been cited by the examiner on form
PTO-892, they have not been considered.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in a patent granted on an application for patent by another filed in the
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) do not apply to the examination of this application as the application 
being examined was not (1) filed on or after November 29, 2000, or (2) voluntarily 
published under 35 U.S.C. 122(b). Therefore, this application is examined under 35 
U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)).

Claims 1-23 are rejected under 35 U.S.C. 102(e) as being anticipated by U.S. 
patent 5,6,055,236 granted to Nessett et al. 

Regarding claim 1, Nessett meets the claimed limitations as follows: 
"A method for securely communicating packets between a first computer device and a 
second computer device through a packet-switched data transmission network
comprising intermediate computer devices, where at least one of said computer devices 
performs a network address translation and/or a protocol conversion, the method 
comprising the steps of 

determining what network address translations, if any, occur on packets 
transmitted between the first computer device and the second computer device, 

taking packets conforming to a first protocol and encapsulating them into packets 
conforming to a second protocol, which second protocol is capable of traversing 
network address translations, 

transmitting said packets conforming to said second protocol from the first 
computer device to the second computer device and 

encapsulating said transmitted packets conforming to said second protocol into
packets conforming to said first protocol." see column 7, lines 8-33; column 13, line 32
to column 38, line 15 and Figure 1.

Regarding claim 2, Nessett meets the claimed limitations as follows: 
"A method according to claim 1, wherein the step of taking packets conforming to a first
protocol and encapsulating them into packets conforming to a second protocol 
comprises the substeps of taking packets conforming to the Internet Protocol, 
processing said packets according to the IPSEC protocol suite and encapsulating the 
processed packets into packets conforming to the User Datagram Protocol." see column 
9, line 63 to column 10, line 4 and column 10, lines 35-40. 

Regarding claim 3, Nessett meets the claimed limitations as follows: 
"A method according to claim 1, wherein the step of taking packets conforming to a first
protocol and encapsulating them into packets conforming to a second protocol 
comprises the substeps of: 

taking packets conforming to the Internet Protocol, 

processing said packets according to the IPSEC protocol suite and 

encapsulating the processed packets into packets conforming to the 
Transmission Control Protocol." see column 9, lines 55-62 and column 10, lines 35-40. 

Regarding claim 4, Nessett meets the claimed limitations as follows: 
"A method according to claim 1, further comprising the step of compensating for the
network address translations on said second protocol in the packets that are transmitted
from the first computer device to the second computer device." see column 15, line 63
to column 16, line 39. 

Regarding claim 5, Nessett meets the claimed limitations as follows: 
"A method according to claim 4, wherein said step of compensating for the network 
address translations comprises a step of performing address translation based on the 
information obtained in the step of determining what network address translations, if 
any, occur on packets transmitted between the first computer device and the second 
computer device." see column 15, line 63 to column 16, line 39. 

Regarding claim 6, Nessett meets the claimed limitations as follows: 
"A method according to claim 5, wherein said step of compensating for the network 
address translations further comprises a step of performing port number translation 
based on the information obtained in the step of determining what network address 
translations, if any, occur on packets transmitted between the first computer device and 
the second computer device." see column 15, line 63 to column 16, line 39. 

Regarding claim 7, Nessett meets the claimed limitations as follows: 
"A method according to claim 1, additionally comprising the step of periodically
transmitting keepalive packets between the first computer device and the second 
computer device to ensure that the network address translations, if any, occurring on 
packets transmitted between the first computer device and the second computer device 
stay the same." see column 21, lines 17-19. 

Regarding claim 8, Nessett meets the claimed limitations as follows: 
"A method for conditionally setting up a secure communication connection between a
first computer device and a second computer device through a packet-switched data 
transmission network comprising intermediate computer devices, where at least one of 
said computer devices performs a network address translation and/or a protocol 
conversion, the method comprising the steps of: 

finding out, whether or not the second computer device supports a 
communication method where: it is determined what network address translations, if 
any, occur on packets transmitted between the first computer device and the second 
computer device; packets are taken that conform to a first protocol and encapsulated 
into packets that conform to a second protocol, which second protocol is capable of 
traversing network address translations; said packets conforming to said second 
protocol are transmitted from the first computer device to the second computer device; 
and said transmitted packets conforming to said second protocol are decapsulated into 
packets conforming to said first protocol, 

as a response to a finding indicating that the second computer device supports 
said communication method, setting up a secure communication connection between 
the first computer device and the second computer device in which communication 
connection said communication method is employed and 

as a response to a finding indicating that the second computer device does not 
support said communication method, disabling the use of said communication method 
between the first and the second computer devices." see column 7, lines 8-33; column 
13, line 32 to column 38, line 15 and Figure 1. 

Regarding claim 9, Nessett meets the claimed limitations as follows:
"A method for tunnelling packets between a first computer device and a second 
computer device through a packet-switched data transmission network comprising 
intermediate computer devices, where at least one of said computer devices performs a 
network address translation and/or a protocol conversion, the method comprising the 
steps of: 

establishing a bidirectional tunnelling mode between the first computer device 
and the second computer device by exchanging packets conforming to a secure 
communication protocol, 

taking packets conforming to a first protocol and encapsulating them at the first 
computer device into packets conforming to a second protocol, which second protocol is 
capable of traversing network address translations, 

transmitting said packets conforming to said second protocol from the first 
computer device to the second computer device, 

decapsulating said transmitted packets conforming to said second protocol into 
packets conforming to said first protocol at the second computer device, 

obtaining information about the address translations occurred on packets 
transmitted between the first computer device and the second computer device and 

using said obtained information to modify the established bidirectional tunnelling 
mode between the first computer device and the second computer device." see column 
7, lines 8-33; column 13, line 32 to column 38, line 15 and Figure 1. 

Regarding claim 10, Nessett meets the claimed limitations as follows: 
"A method according to claim 9, wherein the step of obtaining information about the
address translations occurred on packets transmitted between the first computer device 
and the second computer device comprises the substeps of: 

transmitting a packet between the first computer device and the second 
computer device, said packet comprising a header part and a payload part, and 

comparing a network address transmitted in said payload part to a network 
address transmitted in said header part in order to find out what changes have occurred 
on said network address transmitted in said header part." see column 23, lines 30-45. 

Regarding claim 11, Nessett meets the claimed limitations as follows:
"A method according to claim 9, additionally comprising the step of periodically 
transmitting keepalive packets between the first computer device and the second 
computer device to ensure that the network address translations, if any, occurring on 
packets transmitted between the first computer device and the second computer device 
stay the same." see column 21, lines 17-19. 

Regarding claim 12, Nessett meets the claimed limitations as follows: 
"A method according to claim 9, wherein the step of using said obtained information to 
modify the operation of the tunneling of packets comprises the substep of introducing an 
address translation before the encapsulation of packets in order to compensate for the 
network address translations that occur on packets transmitted between the first 
computer device and the second computer device." see column 12, line 66 to column 
16, line 39. 

Regarding claim 13, Nessett meets the claimed limitations as follows: 
"A method according to claim 9, wherein the step of using said obtained information to
modify the operation of the tunnelling of packets comprises the substep of introducing 
an address translation after the decapsulation of packets in order to compensate for the 
network address translations that occur on packets transmitted between the first 
computer device and the second computer device." see column 15, line 63 to column 
16, line 39. 

Regarding claim 14, Nessett meets the claimed limitations as follows: 
"A method for tunnelling packets between a first computer device and a second 
computer device through a packet-switched data transmission network comprising 
intermediate computer devices, in which data transmission network there exists a 
security protocol comprising a key management connection that employs a specific 
packet format for key management packets, the method comprising the steps of: 

encapsulating data packets that are not key management packets into said 
specific packet format for key management packets, 

transmitting said data packets encapsulated into the specific packet format from 
the first computer device to the second computer device, 

discriminating at the second computer device the data packets encapsulated into 
the specific packet format from actual key management packets and 

decapsulating the data packets encapsulated into the specific packet format." 
see column 7, lines 8-33; column 13, line 32 to column 38, line 15 and Figure 1. 

Regarding claim 15, Nessett meets the claimed limitations as follows: 
"A method according to claim 14, wherein the step of encapsulating data packets that
are not key management packets comprises the substeps of: 

encapsulating data packets that are not key management packets into a key 
management packet format specified by the Internet Key Exchange protocol which 
defines a certain Initiator Cookie field and 

inserting into the Initiator Cookie field of an encapsulated data packet a value 
indicating that the encapsulated packet is a data packet and not a key management 
packet." see column 32, line 11 to column 33, line 39.

Regarding claim 16, Nessett meets the claimed limitations as follows: 
"A method for securely communicating packets between a first computer device and a 
second computer device through a packet-switched data transmission network 
comprising intermediate computer devices, where at least one of said computer devices 
performs a network address translation and/or a protocol conversion and where a 
security protocol exists comprising a key management connection, the method 
comprising the steps of: 

for determining what network address translations, if any, occur on packets 
transmitted between the first computer device and the second computer device: 
establishing a key management connection according to said security protocol between 
the first computer device and the second computer device; composing an indicator 
packet with a header part and a payload part of which both comprise the network 
addresses of the first computer device and the second computer device as seen by the 
node composing said packet; transmitting and receiving said indicator packet within the 
key management connection; and comparing in the received indicator packet the
addresses contained in the header part and the payload part, and 

using the information concerning the determined occurrences of network address 
translations to securely communicating packets between the first computer device and 
the second computer device." see column 7, lines 8-33; column 13, line 32 to column 
38, line 15 and Figure 1. 

Regarding claim 17, Nessett meets the claimed limitations as follows: 
"A method according to claim 16, wherein the security protocol determines a standard 
port number for a key management connection, and the method further comprises the 
step of comparing in the received indicator packet a source port number against said 
standard port number for a key management connection." see column 15, lines 42-47; 
column 29, lines 23-33; column 30, lines 9-33; and column 36, line 62 to column 38, line 
15. 

Regarding claim 18, Nessett meets the claimed limitations as follows: 
"A method for securely communicating packets between a first computer device and a 
second computer device through a packet-switched data transmission network 
comprising intermediate computer devices, where at least one of said computer devices 
performs a network address translation and/or a protocol conversion; where a security 
protocol is acknowledged which determines transport-mode processing of packets for 
transmission and reception; and where a high-level protocol checksum has been 
determined for checking the integrity of received packets, the method comprising the 
steps of: 

at the first computer device, performing transport-mode processing for packets to
be transmitted to the second computer device, 

at the second computer device, performing transport-mode processing for 
packets received from the first computer device, said transport-mode processing 
comprising the decapsulation of received packets and 

at the second computer device, updating the high-level protocol checksum for 
decapsulated packets for compensating for changes, if any, caused by network address 
translations." see column 7, lines 8-33; column 13, line 32 to column 38, line 15 and
Figure 1.

Regarding claim 19, Nessett meets the claimed limitations as follows: 
"A method according to claim 18, wherein 

the step of performing transport-mode processing at the first computer device for 
packets transmitted to the second computer device takes the form of performing 
transport-mode processing as determined in the IPSEC protocol suite, and 

the step of performing transport-mode processing at the second computer device 
for packets received from the first computer device takes the form of performing 
transport-mode processing as determined in the IPSEC protocol suite." see column 21, 
line 1 to column 26, line 35. 

Regarding claim 20, Nessett meets the claimed limitations as follows: 
"A method according to claim 18, additionally comprising the steps of: 

at the first computer device, after performing transport-mode processing for a
packet to be transmitted to the second computer device, encapsulating the processed 
packet into a packet conforming to a certain second protocol, which second protocol is 
capable of traversing network address translations and 

at the second computer device, before performing transport-mode processing for 
a packet received from the first computer device, decapsulating the received packet 
from the packet conforming to said second protocol and replacing a number of network 
addresses in the decapsulated packet with a corresponding number of network 
addresses taken from the received packet before decapsulation." see column 21, line 1 
to column 26, line 35. 

Regarding claim 21, Nessett meets the claimed limitations as follows:
"A method according to claim 18, wherein the step of updating the high-level protocol 
checksum takes the form of recomputing the checksum for the 
transport-mode-processed packets." see column 23, lines 3-45. 

Regarding claim 22, Nessett meets the claimed limitations as follows: 
"A method according to claim 18, wherein the method additionally comprises the step of 
obtaining information about the network addresses of the first and second computer 
devices before and after network address translations, and the step of updating 
the high-level protocol checksum takes the form of incrementally updating the 
checksum based on the obtained information about the network addresses of the first 
and second computer devices before and after network address translations." see
column 21, line 1 to column 26, line 35.

Regarding claim 23, Nessett meets the claimed limitations as follows:
"A method for maintaining the unchanged form of address translations performed by 
network address translation devices on encapsulated actual data packets transmitted 
with certain address information between a first computer device and a second 
computer device through a packet-switched data transmission network, the method 
comprising the step of: 

forcing at least one of the first computer device and the second computer device 
to transmit to the other computer device keepalive packets with address information 
identical to that of actual data packets at a high enough frequency so that network
address translation devices constantly reuse the mappings used for network
address translation even when a certain fraction of the packets communicated between 
the first computer device and the second computer device are lost in the network." see 
column 7, lines 8-33; column 13, line 32 to column 38, line 15 and Figure 1. 



The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

A. Boden et al (6,330,562) discloses a virtual private network where secure 
connections at the IP level are established through the IPSec protocol. 

B. Zhang et al (6,381,646) discloses network address translations in a
gateway.



Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Matthew B Smithers whose telephone number is (703) 
308-9293. The examiner can normally be reached on Monday-Friday (9:00-5:30) EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (703) 305-1830. The fax phone 
numbers for the organization where this application or proceeding is assigned are (703) 
746-7239 for regular communications and (703) 746-7238 for After Final 
communications. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703)
305-3900.




Matthew B Smithers 
Primary Examiner 
Art Unit 2134



January 24, 2003 



